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of a message sent by electronic mail to select a date , time, 
or event at wh ich the message and all incarnations of the 
message to selt-destruct , regardless of the number and types 
of computers or software systems that may have interacted 
with the message, a nd/or to include processing and handling 
limitations. The necessary control over the message is 
'achieved by encrypting the message and enabling viewing 
only through a viewer applet arranged to facilitate destruc- 
tion of the message upon the occurrence of the selected 
expiration time, date, or event, and/or to implement the 
handling and processing limitations. A central server can be 
used to exercise additional control over the message by 
serving as a proxy destination, and by transmitting the 
encrypted message to the viewer applet. In the case where a 
central mail server is required to enable forwarding of 
messages, the central server tracks the messages and com- 
piles lists including the identities of all individuals or groups 
to whom the message has been forwarded, and information 
on handling of the message by those to whom the message 
has been sent or forwarded. 
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SYSTEM AND METHOD FOR ENABLING 
THE ORIGINATOR OF AN ELECTRONIC 
MAIL MESSAGE TO PRESET AN 
EXPIRATION TIME, DATE, AND/OR EVENT, 

AND TO CONTROL AND TRACK 5 
PROCESSING OR HANDLING BY ALL 
RECIPIENTS 

CROSS-REFERENCE TO RELATED 

APPLICATION 10 

This application is a continuation-in-part of U.S. patent 
application Ser. No. 09/390363, filed Sep. 7, 1999. 

BACKGROUND OF THE INVENTION 

1. Field of the Invention 

This invention relates to various improvements on the 
electronic mail system and method described in U.S. patent 
application Ser. No. 09/390,363, herein incorporated by 
reference. 20 

The improvements are (i) the addition to the systems 
described in the parent application of an electronic mail 
control applet that allows the sender or originator of an 
electronic mail message to control the lifespan and handling 
of the message after it is sent while using his or her existing 25 
electronic mail application to create, modify, and send the 
message; (ii) the addition of a feature that allows, for 
purposes of maximizing the efficiency of lifespan and han- 
dling control of a message after sending, the addition or 
deletion of electronic mail wrapper information such as the 30 
time of sending; (iii) in embodiments where a central mail 
server is used, the use of session keys, key renewals, or 
required check-ins to enable central server control of mes- 
sage access while permitting storage of the message on the 
recipient's computer, or retention by the central server of 35 
parts of the electronic mail package, such as the message 
wrapper, handling and encryption key information, and/or 
portions of the message, with storage of the remainder of the 
message on the recipient's computer; and (iv) in embodi- 
ments that require handling of forwarded electronic mail 40 
message by a central mail server, the addition of message 
tracking and compilation of lists including the identities of 
individuals or groups to whom the message has been 
forwarded, and information on handling of the message by 
those to whom the message has been sent or forwarded. 45 

2. Description of Related Art 

The following description of "related art" consists of 
seven sections (i)-(vii). The first section begins with a 
general description of the properties of electronic mail that 
serve to define the context of the invention. The second 50 
section is a discussion of a prior art system that purports to 
provide a framework for controlling distribution of elec- 
tronic documents in general, known as the "virtual distri- 
bution environment" (VDE) and disclosed in U.S. Pat. Nos. 
5,892,900, 5,910,987, 5,915,019, and 5,917,912. The third 55 
section of this description of related art describes systems 
specific to electronic mail and that provide controls of such 
processing or handling functions as forwarding and reply, 
while the fourth section describes a system, disclosed in U.S. 
Pat. No. 5,870,548, that provides for cancellation of elec- 60 
tronic mail messages after sending. The fifth section of this 
description of related art discusses a patent related to deliv- 
ery of an interactive television program in relation to the 
feature of the invention involving distribution of a viewer 
applet to facilitate control of expiration dale and processing 65 
functions. The sixth section summarizes the differences 
between the prior art and the concepts disclosed in the parent 
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application, and the seventh section discusses the context 
and specific problems addressed by the improvements dis- 
closed in the present continuation-in-part application, 
(i) Definition of "Electronic Mail" 

Electronic mail can be defined as a system or method for 
transmitting electronic data or text files from one computer 
to another based solely on a destination address without 
reference to the content of the files or, in general, to the route 
taken to reach the destination address, and in a form that 
permits the files to be accessed and manipulated at the 
destination address at the convenience of the recipient. 

Electronic mail defined in this manner can be compared to 
postal mail, in which letters are routed solely to their 
destination based on addresses written on envelopes, the 
content of the messages being hidden in the envelopes, and 
the envelopes being placed in a mailbox for later retrieval at 
the convenience of the addressee. 

Those skilled in the art will appreciate that the above 
definition is not the only possible definition of electronic 
mail, and that the systems, methods, and software described 
in the parent application and in the present continuation-in- 
part application, hereinafter referred to as "the invention," 
are therefore not necessarily to be limited by this definition. 
Instead, the definition is intended as an aid to understanding 
the manner in which the invention differs from other types 
of systems and methods which might, like the present 
invention, provide for sender controls and a limited lifespan 
for the transferred files, but which do not have the above 
characteristics of electronic mail. Examples of conventional 
file or data transfer systems that do not fall within the 
definition of electronic mail, but in which control of infor- 
mation is retained by the originator or sender, include video 
pay-per-view systems that rely on signal scrambling and the 
use of converter "boxes" to unscramble the signal and 
permit viewing of a video when payment has been received, 
and shareware or demonstration software downloads that 
self-destruct after a trial period if the shareware is not 
registered. 

The "convenience of the recipient" aspect of the definition 
is important because it distinguishes electronic mail from 
real time electronic data transfers such as the file transfer 
protocol (FTP), and implies that electronic mail files must be 
stored somewhere and directly accessible at least once by 
the recipient at some time following receipt. It is this storage 
that gives rise to the problem addressed by the present 
invention, namely the extended life of an electronic mail 
message. While storage is an essential aspect of electronic 
mail, it will be appreciated that the files do not need to be 
stored in plain text form, and that the local storage need not 
be on the recipient's computer or even on a network server 
such as an I MAP server. 

Another important aspect of the definition of electronic 
mail is that the files transferred are data or text files that 
contain information, rather than executable programs. It is a 
trivial matter to program self-destruction into an executable 
program, but a data or text file cannot be deleted without the 
aid of an external program, which in conventional electronic 
mail systems is entirely under the control of the recipient. 

A third important aspect of the definition of electronic 
mail is that the electronic mail messages are relayed through 
a network of intermediate hubs based solely on the desti- 
nation address, much as envelopes are handled by a con- 
ventional postal mail delivery system. The contents of an 
electronic mail object do not affect its ability to be delivered 
anymore than does the content of an envelope, and thus the 
data fields or contents of an electronic mail object can be 
formatted in any desired manner (with the exception of 
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certain fields reserved for the writing of routing or tracking 
information that can be used for debugging). In particular, it 
is^possjhlfi tn insert flags thaf cause actions to he performed 
at the receiving end of the transmission, and that are unique 
to the sending and receiving software, without requiring new 
data structures or substantive revision of the conventional 
electronic mail protocols, and without affecting the trans- 
mission. In the case of Simple Mail Transfer Protocol 
(SMTP) transmission, these flags can be included as exten- 
sions of the destination address permitted by SMTP, or as an 
internal message header that is treated by SMTP as text or 
data and that is recognized only by the receiving software. 

The broad definition of electronic mail given above can be 
implemented in numerous ways, and the present invention is 
intended to apply to all such implementations. The most 
common implementation is currently SMTP, which deter- 
mines how electronic mail objects are routed to a destination 
address, and its related protocols, the Post Office Protocol 
(POP) or Internet Mail Access Protocol (IMAP), which set 
up "mailboxes" at the destination address, either locally or 
on a mail server, following transmission by SMTP. The 
invention is of course explicitly applicable to electronic mail 
sent via SMTP. In addition, messaging systems such as 
Lotus Notes™ may be considered to be within the definition 
of electronic mail for purposes of the invention, 
(ii) "Virtual Distribution Environments" and the Concept of 
Control 

In order to limit the lifespan of a message as in the 
invention, it is necessary to exercise some control over the 
message. As a result, any system that is capable o f Jimiting 
t he lifespan of a message a lso must be capable of enabling 
the sender to limit handling of the message, including 
forwarding, copying, printing, and so forth. 

While providing such control is an important feature of 
the invention, it is not a unique feature. In fact, a system 
currently exists, at least in the form of a patent specification, 
which in theory provides all of the control necessary to 
achieve virtually any desired handling or lifespan limitations 
on any type of transferred file. The system is known as the 
Virtual Distribution Environment (VDE) and is disclosed in 
U.S. Pat. Nos. 5,892,900, 5,910,987, 5,915,019, and 5,917, 
912, all entitled "System and Methods For Secure Transac- 
tion Management and Electronic Rights Protection" (the 
VDE patents). The problem with VDE as a solution to the 
problem of message lifespan is that, in addition to not 
suggesting the concept of enabling the originator of an 
electronic mail file to control its lifespan, the controls 
implemented by VDE are too complex to be implementable 
through conventional mail protocols such as SMTP. 

In general, there are three ways that control of a trans- 
ferred file might be retained by the originator. The first, used 
for pay-per-view systems, is to prevent any copying or 
recording of the files, so that the files can only be viewed as 
they are being broadcast or downloaded. The second, used 
in the case of executable software downloads, is to include 
self-destruct instructions in the program instruction set. In 
the case of non-streaming, non-execu table files, however, a 
third method is required. This is the method used by the 
presented invention, and is also the method implemented by 
VDE. In its most general form, this third method of trans- 
ferred file control involves encryption of the files so that they 
can only be processed by software designed to implement 
the desired controls. The software that decrypts the files can 
be programmed to destroy the files at a desired date or upon 
the occurrence of a particular event, no matter how often the 
files have been copied or re -transmitted. 

While the system and method described in the VDE 
patents thus utilizes the same general principle as the present 
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invention, namely retaining control of files distributed over 
an open network by encrypting the files and utilizing soft- 
ware at the receiving end to exercise control over the files, 
including destruction of files (mentioned, for example, in 

5 col. 169, lines 61 et seq. of U.S. Pat. No. 5,917,912), and 
even protection of electronic mail (col. 278, lines 58 et seq. 
of U.S. Pat. No. 5,917,912), the details of the system and 
methods described in the VDE patents are substantially 
different than those of the present invention. Instead of 

10 utilizing existing communications protocols, VDE requires 
revision not only of the file origination, transmission, and 
receiving programs, but also "component, distributed, and 
event driven operating system technology, and related 
communications, object container, database, smart agent, 

15 smart card, and semiconductor design technologies" (Col. 8, 
lines 1-7 of U.S. Pat. No. 5,917,912). As a result, even 
though the VDE can be made to perform virtually any 
desired control function it is simply not practical in the 
context of electronic mail. 

20 The impracticality of the systems disclosed in the VDE 
patents is explained at length in a later patent by the same 
assignee, U.S. Pat. No. 5,920,861, which compare VDE to 
a "blank canvas" on which the "master painter" can create 
his or her masterwork (col. 3, lines 1-12 of U.S. Pat. No. 

25 5,920,861), but which is not suitable for use by the average 
end user. To solve the ease-of-use and interoperability 
problems, the later patent proposes to implement the generic 
template structure of the "virtual distribution environment" 
by creating a specific machine readable data structure. This 

30 solution to the problem is exactly opposite the solution 
provided by the present invention, which is to provide an 
applications level program that is completely compatible 
with existing protocols. This is possible because t he present 
inventio n, unlike the VDE system, seeks to provid e specific 

35 control functions such as the specification of an expiration 
date for a message, in a specific context, namely electronic 
mail. It designed to work within existing communications" 
structures, and in particular within existing SMTP, POP, and 
IMAP formats, while providing a simple user interface that 

40 will be as familiar to the average electronic mail user, and as 
easy to use, as existing electronic mail programs, 
(iii) Control in the Specific Context of Electronic Mail 

While the VDE concept provides a framework by which 
sufficient control of electronic mail could be achieved so as 

45 to enable a sender to limit the lifespan of the electronic mail, 
the complexity of the VDE system and the skill required to 
implement and use the system makes the system unlikely to 
have any practical application to electronic mail as defined 
above. 

50 On the other hand, those systems described in prior 
patents that are specifically directed to the concept of 
enabling originator control of electronic mail messages, for 
the most part to ensure that a message will be read or 
forwarded rather than to limit the lifespan, do not provide for 

55 a sufficient level of control, at least of messages sent over an 
open network, to ensure that all incarnations of a message 
will in fact be expunged. While it might seem that the 
advantages of providing sufficient control of electronic mail 
to ensure that messages can be made to expire at a time, date, 

60 or upon the occurrence of an event selected by the originator 
might have been grasped by designers of the prior systems, 
there are reasons why the advantages were in fact not 
apparent to such designers. 

First, since electronic mail has been designed to be 

65 analogous to postal mail and postal mail has no function 
analogous to message expiration, except for the use of 
disappearing ink, it is likely that the concept of enabling the 
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originator of a message to control the expiration and limit time the cancellation request was sent to the original recipi- 

use of the message was simply not considered. The expira- ent. Furthermore, while it might be possible to prevent 

tion of messages has previously been the province solely of forwarding, and thereby help ensure cancellation, there are 

fiction, exemplified by the self-destructing tape recorder in numerous reasons why a sender might wish to permit 

the opening scene of the television show Mission 5 forwarding of a message and yet have all incarnations of the 

Impossible, and not as a way to give any sender of a message electronic mail message, rather than just the original 

control of the lifespan of the message. incarnation, expire at a particular date or time. For example, 

Second, the systems and methods disclosed in the prior the message could contain proprietary data for use by 

patents are for the most part intended solely to force a vendors, preliminary test results or draft research papers, or 

response from the recipient, or facilitate distribution and 10 confidential work product to be shown to groups of clients, 

forwarding of a mass mailing, with no consideration of what In cases where forwarding of the message must be 

happens to the message after the response is made or the permitted, the ability not only to request cancellation by the 

message is forwarded, and no provision for limiting either original recipient, but also to track subsequent recipients of 

the lifespan or the use of a message once an appropriate forwarded messages would be required in order for the 

response has been made. is system of U.S. Pat. No. 5,870,518 to ensure execution of a 

For example, U.S. Pat. No. 5,325,310 discloses a system cancellation request by the subsequent recipients, which is 

which prevents deletion of an electronic mail message until impossible using existing electronic mail systems designed 

it has been viewed and/or forwarded, while U.S. Pat. No. to transmit electronic mail over an open network. 

5,878,230 discloses a system designed to force a reply or (v) Distribution of Viewer Applets 

forwarding, and U.S. Pat. No. 5,125,075 is one of several 20 An important feature of the present invention concerns 

patents that disclose systems for controlling routing and distribution of the viewer applet that enables or implements 

access to electronic mail "circulars." It is not surprising that destruction of an e-mail message at a predetermined date, 

systems designed to ensure that an electronic mail message time, or event. The system and method of the invention 

is read and disseminated in a desired manner have not permits the originator to address the message to any desired 

provided for expiration of the messages being disseminated. 25 recipient equipped to receive electronic mail, whether or not 

The only systems that actually provide for a limited the recipient is in possession of the viewer applet. This is 

message lifespan are those that aut omatically delete files accomplished either by first notifying the recipient that an 

after a predetermined period of time in order to clear spa ce encrypted message has been received and then sending the 

on a disk drive. These systems do not provide for originator viewer applet to recipient upon request, or by attaching the 

control of the lifespan of the message, and in particular one 30 viewer applet to the message and notifying the recipient so 

that is to be sent over an open network rather than being that the message can be immediately installed by the user, or 

retained on a local area network server. An example of this even by causing the viewer applet to be installed automati- 

type of system is disclosed in U.S. Pat. No. 5,598,279, which cally upon opening of the electronic mail in a manner 

describes a local area network server that provides for timed analogous to a benevolent electronic mail virus, 

destruction of electronic mail and other files to save space on 35 U.S. Pat. No. 5,877,755 discloses a somewhat similar 

the server, but without the inclusion of an end-user interface arrangement in the context of an interactive broadband 

that permits the originator of the electronic mail to select an multimedia system. In its broadest form, the system of U.S. 

expiration date, or any controls that would make such an Pat. No. 5,877,755 provides for transmission to a customer 

interface possible. of the executable program file that permits use of the 

(iv) Cancellation of an Electronic Mail Message-U.S. Pat. 40 interactive system to the customer, and then having the 

No. 5,870,548 executable program file request downloading of the multi- 

The one patent that in a sense involves originator control media data file, 
of the lifespan or expiration of electronic mail messages is The present invention extends the concept of supplying 
U.S. Pat. No. 5,870,548. However, the lifespan control executable program files that request data or files (which is 
provided by the system disclosed in this patent is in the form 45 also the concept behind "push" applets that plug into a web 
of the ability to cancel messages, rather than to select a browser) to electronic mail with dramatic results. Whereas 
lifespan prior to sending the message. As with the forward- in all prior commercial software distribution systems includ- 
ing or response requiring systems, implementation of the ing the system of U.S. Pat. No. 5,877,755, potential users 
cancellation message is left to the recipient, and no provision must be identified and persuaded to initiate contact in order 
is made for dealing with of copies of the original message 50 to obtain the executable program files, and so forth, the 
that have already been forwarded. system and method of the present invention can be propa- 

U.S. Pat. No. 5,870,548 can be fairly said to represent the gated primarily by the users themselves without the need for 

current wisdom in the art of electronic mail handling. advertisements, central mailing lists, and so forth. Each time 

Basically, the view has generally been that "once the mes- a user of the system sends an electronic mail message to a 

sage is submitted to the Internet, it cannot be directly altered, 55 non-user and the non-user chooses to read the message, the 

canceled, or retracted by the originating program" (U.S. Pat. non-user becomes a participant in the system. From a 

No. 5,870,548, col. 1, lines 37-39). The solution proposed marketing and distribution standpoint, this aspect of the 

in U.S. Pat. No. 5,870,548 is simply to send a follow-up present invention represents an entirely new paradigm, 

"action message" to the recipient, asking for cancellation. (vi) Summary of Differences Between Concept Disclosed in 

The problem is that by the action message has been sent, the 60 Parent Application and Prior Art 

original message might have been copied or forwarded and While a number of advantages of controlling of the 

therefore out of control of the original recipient, even if the lifespan of electronic mail messages as described in the 

recipient were to cooperate and cancel the message. parent application should be immediately apparent to those 

Even if cancellation of a message sent by the system of skilled in the art, none of the prior systems discussed above 

U.S. Pal. No. 5,870,548 could be assured, the system 65 is intended to provide such control, nor are they suitable for 

described therein does not take into account the possibility use in providing such control. The system described in the 

that the message might already have been forwarded by the VDE patents, i.e., U.S. Pat. Nos. 5,892,900, 5,910,987, 
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5,915,019, and 5,917,912, provides a potential general server to hold all electronic mail messages having lifespan 
framework by which electronic mail messages could be or other handling limitations and until expiration, it is more 
limited, but the requirement for new data structures, efficient to store at least a portion of the message on the 
hardware, and programming paradigms makes it unsuitable recipient's computer. This can be done by having the vi£W£t- 
for practical application to an electronic mail system. In 5 applet assume complete responsibility for message handling 
contrast, although the system and method of the present and expiration , by having the viewer applet retrieve missing 
invention are not limited to any particular electronic mail portions of the message, the message wrapper, and/or nan- 
protocol, they nevertheless are especially suitable for imple- dling and encryption key information each time the message 
mentation using existing electronic mail protocols, without is to be viewed or handled. This can also be done by having 
requiring new data structures, hardware, or other security 10 the central server retain the keys used by the viewer applet 
features. Furthermore, while the remaining patents dis- to enable viewing or handling of the message, and transmit 
cussed above generally provide for sender control in the the keys to the viewer applet either on a session-by-session 
specific context of electronic mail processing or handling, basis or on a periodic basis. Alternatively, the viewer applet 
they do not offer (and do not need to offer) a level of control can simply be required to check-in with the central server to 
sufficient to ensure that the electronic mail message will in 15 ensure that the clock used by the viewer applet has not been 
fact be expunged at a desired date or time, or upon the tampered with or malfunctioned. The requirement that the 
occurrence of a preselected event, and thus are also unsuit- viewer applet retrieve information or portions of the mes- 
able for implementing the invention. Finally, unlike central- sage from the central server each time the message is to be 
ized digital file distribution systems such as the one dis- viewed or handled is necessary to ensure monitoring of each 
closed in U.S. Pat. No. 5,877,755, the pre-distribution or 20 transaction involving the message, while requiring less 
simultaneous distribution of the viewer applet with the contact between the central computer and the recipient 
electronic mail message, which enables the message can be computer is more efficient. 

read by any electronic mail user, permits the "infrastructure" The final improvement, which was briefly disclosed in the 

necessary to implement the system to be self -propagating parent application but is discussed in greater detail herein, 

and thereby create what is effectively not only a "virtual 25 has the most far reaching potential of any of the improve - 

distribution environment," but a revolution in distribution ments described in this continuation-in-part application, and 

and marketing that has the potential to do for software, or at relates to a by-product of the manner in which a central mail 

least electronic mail software, what Henry Ford did for server is used to control forwarding and handling of mes- 

automobiles or Ray Kroc for hamburgers. sages. The improvement is that, in the embodiments of the 

(vii) Background of Improvements Described in the Present 30 invention where a central server is involved, the central 

CIP Application server may be used to track all persons to whom the message 

The first improvement to the concept described in the has been forwarded, no matter how many times the message 

parent application relates to ease-of-use of the sender's has been forwarded. This enables the mapping of affinity 

electronic mail program. As is described in detail below, the groups having a common interest in way heretofore consid- 

electronic mail controls described in the parent application 35 ered to be virtually impossible. 

can be implemented as an applications level electronic mail Currently, mailing lists are generated by purchasing lists 
program with its own user interface. Despite the fact that from providers of related services, products, or information, 
such a program can be made to resemble, subject to any legal and by compiling lists of persons who inquire about the 
restrictions, any popular electronic mail program with any services, products, or information, visitors to web sites, and 
desired additional usability enhancements, it would also be 40 even persons who live in a certain area or otherwise are 
desirable if the lifespan and handling restrictions could be demographically likely to show interest in the service or 
implemented without the need for a separate applications product offered by the mailer. This process of compiling 
level electronic mail program, i.e., if the invention could be mailing lists is expensive, captures numerous recipients who 
implemented within the sender's existing electronic mail are not interested in the services, products, or information to 
program. This would save system resources and reduce the 45 which the mailing is directed, and on the other hand is likely 
learning curve for the sender or originator of the message, to miss many potentially interested parties. The invention, in 
and is achieved in accordance with the preferred embodi- contrast, offers the possibility of providing mailing lists 
ments described below by providing an electronic mail based on records of where a message has been forwarded, in 
proxy which creates a window with the desired controls effect putting to work the contacts and knowledge of the 
following interception of a send request by the electronic 50 original recipients of the message to create a self- 
mail program, and/or which modifies addresses in the exist- propagating mailing list limited to those most likely to be 
ing electronic mail program's address book. interested in the products, services, or information. 

The second improvement relates to the electronic mail For example, the product, service, or information provider 

"wrapper," by which information concerning the sender and might send out an initial e-mailing to potentially interested 

the date the message was sent is added to the electronic mail 55 parties assembled into a conventional mailing list. Only 

message. All current electronic mail protocols include such those recipients of this e-mailing who are most interested in 

a wrapper. In many cases it is as important to control the the product are likely to forward the information to others, 

future handling of the wrapper information and the associa- and only to those who they know are likely to be interested 

tion of the wrapper with the message, as it is to control the in the mailing. It is very likely that a provider could use and 

future handling of the message itself. By using an electronic 60 be willing to subscribe to a service that is able to track such 

mail server and/or cooperating viewer applet, the electronic forwarding of their message. Again, therefore, the invention 

mail wrapper can be stripped or edited in any desired manner provides revolutionary advances in marketing and dissemi- 

before the message is presented to the recipient, or the nation of information, replacing the old hit-or-miss methods 

wrapper can be offered as an optional addition or separately of compiling mailing lists by a much more focused and 

from the main message. 65 essentially self-propagating listing which should benefit not 

The third improvement relates to the storage of messages only the provider of products, services, and information, but 

on a central mail server. While it is possible for the central also those who would be interested in the mailing as well as 
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those whose mailboxes are full of "spam" and are not likely It is an eighth objective of the invention to provide various 

to be interested in the mailing. methods for establishing an electronic mail system as 

Not only does the invention make it possible to contact the described above, and in particular for distributing origina- 

personal contacts of those who have received an e-mailing tion and viewer software, in a rapid and efficient manner, so 

(i.e., those who follow the "word of mouth" generated by a 5 that senders will be able to utilize the controls provided by 

mailing) as it is forwarded from interested parties to poten- me invention with messages sent to a large number of 

dally interested parties, but the invention also enables the potential recipients. 

identification of the interested contacts of any of the selected _ . . . ,. . , . . t . . 

f . . J It is a ninth objective of the invention to provide elec- 

su -groups o recipien . tronic mail software which allows the originator of a mes- 

SUMMARY OF THE INVENTION io sag e to use an existing electronic mail application for all 

It is accordingly a first objective of the invention to conventional electronic mail functions, while still enabling 

provide an electronic mail system and method in which the to© originator to selectively control the expiration date of a 

originator or sender may control the lifespan of the message, message and such processing functions as printing, copying, 

so that the message, and all copies of the message anywhere fl nd forwarding of the message. 

in the world, disappear at the appropriate time. 35 It is a tenth objective of the invention to provide an 

It is a second objective of the invention to provide an electronic mail system and method which enables control of 

electronic mail system and method in which all versions and which portions of the electronic mail wrapper will be deleted 

copies of the message ar e caused to be erased at a time or or transmitted to the recipient or recipients of the message. 

date selected by the originator or sender using a simple 2Q It is an eleventh objective of the invention to provide an j 

electronic mail client that resembles a conventional elec- electronic mail system and method which tracks information « 

tronic mail client or that adds the necessary controls to the concerning the usage and handling of the message by all \ 

originator or s ender* s existin g electronic mail application. recipients or any individual or group of recipients, including 

It is a third objective of the invention to provide an without limitation records or information concerning who 

electronic mail system and method in which all versions and 25 received the message, who forwarded the message, who 

copies of the message are caused to be erased at a time or modified the message, the electronic mail addresses of all of 

date selected by the originator or sender, and which requires these entities, and the dates and times of all transactions 

only a simple viewer applet that can be distributed to the relating to forwarding and handling of the message, 

recipient with the message whose lifespan is to be con- It is a twelfth objective of the invention to provide records 

trolled. 30 or information on the usage and handling of a message by all 

It is a fourth objective of the invention to provide an recipients of the message or by any defined sub-groups of 

electronic mail system and method in which all versions and recipients, and further provides for control or modification 

copies of the message are caused to be erased at a time or of the lifespan and/o r handling limitations of messages^ 

date selected by the originator or sender, and which also received by members of any such sub-groups. 

provides sender control of electronic mail processing or 35 i n accordance with the principles of several preferred 

handling functions such as forwarding, modification, or embodiments of the invention, the objectives relating to 

printing. sender control of the lifespan and handling of messages sent 

It is a fifth objective of the invention to provide an over an open network are achieved by providing an elec- 
electronic mail system and method in which all versions and tronic mail system and method in which the viewing of the 
copies of the message are caused to be erased at a time or 4 q electronic mail message is possible only through a viewer 
date selected by the originator or sender, and yet which does programmed to execute permitted handling and/or process- 
not require the establishment by the originator of a virtual ing functions, and which in which only encrypted versions 
distribution environment or network, the system and method of the electronic mail are permitted to exist. Unlike the 
instead being set-up either by using a centralized server to "containers" of the virtual distribution environment 
automatically distribute the necessary viewer each time a 45 described in U.S. Pat. Nos. 5,892,900,5,910,987, 5,915,019, 
new client receives a message from the server that can only and 5,917,912, the electronic mail packages of the present 
be read by the viewer, or by including the viewer with invention can be sent through existing conventional elec- 
message, without the need for potential clients to take any tronic mail distribution channels over an open network such 
action at all other than, optionally, an indication of desire to as the Internet employing standard protocols such as SMTP, 
receive messages originated by software utilizing the prin- 50 and a simple user interface that can be used by any electronic 
ciples of the invention. mail user, without the need for enhanced or new data 

It is a sixth objective of the invention to provide software structures. On the other hand, unlike the electronic mail 

for managing electronic mail that e nables the originator of cancellation structure of U.S. Pat. No. 5,870,548, access and 

the messa ge to set, at the time that he or she composes the handling controls to the message are always retained by the 

message, a self destruct date and time for that email s such 55 originator of the message. 

that, upon that date and time, a nd independent, world wide, Thus, in its broadest form, the invention involves con- 

of the number and types of computers/software that may^ trolling access to the electronic mail message by permitting 

e ventually interact with the message, the number of people the message to be viewed and manipulated only by a viewer 

who may eventually receive the message, or the number of program or applet responsive to the commands set by the 

handling incidents that may eventually impact the message, 60 originator of the message. The rnqimanrte may ^ 

the message and all of its incarnations will vanish. ted in the form of message attributes includ e^ <> a header 

It is a seventh objective of the invention to provide that forms a part of the electronic mail object^ and that 

software for managing electronic mail that ensures selective normally includes such information as the date the message 

sender control of such processing functions as printing, was created, the time that the message was sent, the sender, 

copying, and forwarding, and yet that is relatively simple to 65 a title or name of the message, and other information about 

implement and that can be used with existing electronic mail the document. Such attributes are commonly referred to as 

protocols. an Interchange Document Profile (IDP). It has previously 
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been known to use space in the I DP to cause a message to encrypting transmissions from the central server to the 
be automatically forwarded or resent, or to require a persis- viewer applet. In the second preferred embodiment of the 
tent reply, as disclosed for example in U.S. Pat. Nos. invention, the viewer applet's public key is preferably sent 
5,878,230 and 5,325,310, but the systems disclosed in these back to the original sender for use in encrypting the trans- 
patents cannot be used for purposes of the present invention 5 mission. In addition, it is possible even in the first and third 
because they surrender control of the electronic mail to the preferred embodiments to transmit the viewer applet's pub- 
recipient once the message has been forwarded or replied to. lie key back to the sender to ensure that the message is kept 

Those skilled in the art will appreciate that although the private even from the central server, 

invention is designed to enable the originator of a message In the case where a central electronic mail server is 

to set a date, time, or event at which all incarnations of the 10 provided, distribution of the viewer applet may be accom- 

message will self-destruct, the technology that causes all of plished by downloading the viewer applet from the server 

the incarnations to be destroyed also permits the originator upon request from the recipient, or automatically with the 

of the message to cause only some of the incarnations of the electronic mail. Alternatively, the software may be transmit- 

message to be destroyed. For example, the originator might ted directly from the originator software to a recipient as an 

wish to permit saving of copies of the message sent to his or 15 electronic mail attachment without intervention of an elec- 

her attorneys from the general self-destruction, or the origi- tronic mail server, the attachment being self-executing upon 

nator might wish to extend or foreshorten the expiration date opening by the recipient. The viewer applet preferably also 

for certain recipients of the message. includes message origination software, which may option- 

Hiere are currently three principal preferred embodiments ally °* activated either freely or upon payment of a regis- 
of the invention, but the invention is not intended to be 20 tration or subscription fee, or the message origination soft- 
limited to any of the preferred embodiments. In a first ware may be provided as an upgrade or separate plug-in 
preferred embodiment of the invention, control of expiration program distributed through the usual software distribution 
and access to the electronic mail message is achieved by channels. 

storing the electronic mail message on a designated central The message origination software may, in one preferred 

electronic mail server, e ncrypting the messa g e with a public 25 implementation, have an interface that resembles those of 

key generated by viewer software at the receiving end T and conventional electronic mail programs, but with the addition 

transmitting the electronic mail message to the recipient of buttons that permit setting of an expiration date and, 

whenever viewing is desired by the viewer and permitted by optionally, other handling or processing limitations or rights, 

the originator. such as forwarding limitations or rights, as well as the right 

In a second preferred embodiment of the invention, the 30 to print, and that cause appropriate flags to be toggled or set 

encrypted el ectronic mail message is stored on the recipi- in the IDP or in a header portion of the electronic mail 

^t'S Computer ana access to__the_message is '(^'n'troTle3 object. 

solely by viewer sottware also installed o n, fre recipient'^ Alternatively, the message origination software may take 

computer. In this embodiment, session keys can still be 35 the form of a "control applet" that creates a window in 

provided* by the central server before viewing of the locally resp onse to the execution in an existing electronic mail 

stored message is permitted, either on a session-by-session pr ogram ot the "send" command, and which queries the 

basis or periodically, or the viewer software can at least be or iginator as to whether the above-mentioned lites pan or ' 

required to check-in with the central server before viewing other handling limitations are desired . It the originator 

is permitted so as to ensure that the recipient computer's 4Q indicates that controls are desired, the control applet 

clock is accurate and that the message will be expunged prompts the user for necessary information such as an 

upon the occurrence of the selected time, date, or event. expiration date , and proxies the message to the central mail 

In the third preferred embodiment of the invention, which server in the :ase of the first and third embodiments, or 

is added by the present continuation-in-part application, encrypts the message after an exchange of keys and sends 

control of expiration and access rights to the electronic mail 45 the message directly to the recipient's computer in the case 

message is achieved by delivering a stripped version of the of the second embodiment. The trigger for creating the 

message in encrypted form via the designated central mail window may be an intercepted send command, in which 

server to the recipient's viewer software for storage on the case me control applet may include a shim positioned 

recipient's computer, and by retaining in the central mail between the originator's existing electronic mail program 

server the message wrapper, handling and encryption-key 50 and tne SMTP stack. 

information, and/or portions of the message, thereby requir- Instead of or in addition to the inclusion of a control 
ing the viewer applet to report back to the central server each applet as described above, the lifespan and handling controls 
time the message is to be viewed or bandied to enable the of the invention may be implemented by modifying the 
central server to directly control and track each transaction message originator's address book so that all of selected 
involving the message. 55 outgoing messages are automatically proxied to a central 
In each of these preferred embodiments of the invention, mail server for encryption, sending, and future handling of 
the encryption system by which message access to the the message. Control options may be selected through a 
viewer software is limited is preferably a public key/private dial °g box al the time the user enters recipient information, 
key cryptosystem. In the first preferred embodiment of the as part of the address book set-up, or as part of a separate 
invention, the public/private key pairs include a central 60 program that permits selection of control options and auto- 
server public/private key pair generated by the central server matically modifies all or selected addresses already in the 
and a viewer public/private key pair generated by the viewer address book. 

applet, either once or each time a message is to be read, the In each version of the message origination or message 
public key of the central server being used to encrypt the control software, it is possible to include a message cancel- 
message for transmission from the sender to the central 65 lation feature or "oops" button that allows immediate can- 
server, and the viewer applet's public key being transmitted cellation or deletion of a message after sending, or cancel- 
from the viewer applet back to the central server for use in * lation of a message before the designated expiration date, 
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time, or event, by sending a cancellation message to the FIG. 2 is a schematic view showing the manner in which 

central server or recipient's viewer applet. a message is forwarded in the electronic mail system of FIG. 

Upon the date, time, or event at which message expunging 1. 

is to occur, the invention provides for triple erasing of the p\Q 3^3 flowchart of a method corresponding to the 

message by the central server, in the case of the first 5 electronic mail system of FIG. 1. 

preferred embodiment, or by the viewer applet, in the case A , r - . . 

of the second preferred embodiment. In addition, either 9" 4 * howsa m ™ for S ° ftWare im P le ' 

embodiment but particularly in the case of the second renting the method of FIG. 3. 

preferred embodiment, expunging of the message can be FIG. 5 shows a message preparation screen for software 

accomplished by triple erasing such encryption keys as to 1Q implementing the method of FIG. 3. 

render its encryption impossible. If the first preferred FIG. 6 is a schematic view of a variation of the electronic 

embodiment of the invention is utilized, then triple erasing ma fl S y S tem of FIG 1 

the message will ensure that the sent message is completely m (j f & h jation of , h 

expunged from the face of the earth since the central server . t c „. ^ . 

maintains the only copy of the message. On the other hand, elec tromc mal1 svs tem ° f 

while the second and third preferred embodiments of the 15 FIG. 8 is a schematic view of an electronic mail system 

invention may not necessarily prevent copies of the constructed in accordance with the principles of a second 

encrypted electronic mail object from being made, erasing of preferred embodiment of the invention, 

the decryption key or setting of the viewer so that it will no FIGS. 9-11 are schematic views which illustrate the effect 

longer decrypt the electronic mail object ensures that the obtained by the system and method of the invention, 

"message," as opposed to the mail object, is still effectively 20 ^ yersion of ^ declronic 

expunged from the face of the earth. ^ ^ interface . q nGS 4 and 5 

In addition to providing lifespan or handbng limitations, . 

the system and method of any of the above embodiments of FIG. 13 is a flowchart showing the manner in which the 

the invention may be arranged to also enable selection of electronic mail user interface of FIG. 12 is implemented, 

which portions of the electronic mail wrapper are to be 25 FIG. 14 is a schematic view of a further variation of the 

deleted or transmitted to the recipient. When either the electronic mail user interface illustrated in FIGS. 4 and 5. 

central server or viewer applet receives a message, it can FIG. 15 is a flowchart illustrating an embodiment of the 

transmit as much or as limited a record of the wrapper to the invenlion ^ which information from the message wrapper is 

recipient as may be determined by the central server or QT transmitled ^ lhe message . 

viewer applet, allowing the central mail server to, by way of 30 7 

example, strip the date the message was sent or some or all FIG - 16 1S a schematic view of a third preferred embodi- 

of the sender data from the sent message before delivery to ment of the invention in which a central mail server retains 

or viewing by the recipient, control of the message while permitting a stripped version of 

In an especially useful extension of the concept of the first the message to be stored on a recipient's computer, 

and third principal embodiments of the invention, both of 35 FIG. 17 is a schematic diagram of the manner in which the 

which involve the use of a designated central mail server to invention may be used to compile mailing lists and identify 

provide encryption functions and to control future handling affinity groups, 
of messages, the central mail server can be arranged to track 

^transactions involving a message and compile records of the DETAILED DESCRIPTION OF THE 

transactions. If desired, the records of all transaction infor- PREFERRED EMBODIMENTS 

mation about the usage and handling of the message, 40 . . 

referred to hereinafter as the message completion space A M pirated m FIG. l a system consmicted in accor- 

(MCS), can also be divided into subspaces, and information dance ™th the P™ciples of a first preferred embodiment of 

gathered with respect to the entire MCS or selected the invention includes an electronic mail server 1, message 

subspaces, such as the subspace of all recipients with a origination software 2 resident on a sender's computer 3, 

particular electronic mail address domain, the group of 45 and a viewer applet 4, which may already be installed in the 

persons to which a particular recipient has forwarded a recipient's computer 5 or supplied by server 1 during 

message (which may be referred to as an "affinity group" for delivery of a message. Although illustrated as discrete 

that recipient), the group of recipients who have handled a entities in FIG. 1, the message origination software 2 and 

message in a particular way, the group of recipients who viewer applet 4 are preferably integrated into a single 

have received an nth level forward, and so forth. In addition, 50 program or applet, as will be explained in more detail below, 

not only can information related to the subspaces be ^ basic concept underlying this embodiment of the 

obtained, but control of the messages, including control of invention is to control viewing and handling of the elec- 

message litespan, dandling, and of the message wrapper c^n lronic mail m e b retaini the m e on the elec . 

thenbednjc^^ ironic mail server I and requiring the recipient to view the 

recipierns m^pJnBx^ ^^J~ $5 m ^ ^ yiewer kt ^ whicfa ^ ^ ^ 

Finally, to protect the privacy of system users, thej^ factions mdicated b ^ ori inalor of the mess Use of 

c^oUm^m ^ given the opportunity , to , optKMU of the viewer t0 view lhe m ^ ensured D encrypling lhe 

the inform ahon gathering process, or be requiredtp5ot^ j. *u . *u • 1 . 

before being included in a^adce dlaffimS^Siip. ^GlteT me f a ^ transmittin S th ^ messa f the viewer app et, 

^pTi6nlsls?e^a^^ that any ™ ih ^ the viewer applet having the ability to decrypt the 

members identified with an affinity group will already have message, and the viewer applet retaining only transient 

affirmatively indicated their willingness to be identified with stora g e of the message. Since the message permanently 

the group. exists only on server 1, erasure of the message from storage 

associated with the server expunges the message from 

BRIEF DESCRIPTION OF THE DRAWINGS existence. Even if copying of the message were permitted, 

FIG. 1 is a schematic view of an electronic mail system 65 for example for the purpose of placing the message in 

constructed in accordance with the principles of a preferred different folders or storage areas, all copies of the message 

embodiment of the invention. would still reside in the server's secure storage area and 
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therefore be subject to deletion at the time, date, or event electronic mail address assigned by the system, then the 

preset by the message originator. Conversely, control of the originator software must encode part or all of the original 

message in this manner also enables the originator to des- address in the message header following the DATA 

ignate different expiration dates for different recipients, or command, and substitutes an address in the form < . . . 

even to except certain recipients from the expiration date or 5 >.<cs>.com, where < . . . > can be any local designator 

other controls. convenient for the central server, such as an indicator that 

As illustrated in FIG. 2, this set-up enables forwarding of the recipient is not a subscriber, or an account number of the 

the message without surrendering control of the message. A originator. Upon receipt of the electronic mail message, the 

forwarding request from the original recipient is handled in central server reads the recipient's actual address from the 

exactly the same manner as a request by the recipient to view 10 header and uses that address to establish initial communi- 

the original message, i.e., by notification sent by the central cations with the recipient. 

server to the intended recipient of the forwarded message Also in the message header, as mentioned above, are 

that an electronic mail message has been received, by fields for including control information used to enable or 

downloading a viewer applet as necessary, and then by disable electronic mail processing or handling functions, 

transmitting the message to the installed viewer applet 7 on 15 such as printing, copying, or forwarding, as weJI ^ a field 

the forwarded message recipient's computer 8. Although that sets the expiratio n fcyp. hW nr pypnt (*nrh a* evpi™. 

illustrated as a direct connection between the server 1 and t ion upon, ,™? fjjpp,) Thpgi " fields can be in the form of flags 

the computer 8, those skilled in the art will appreciate that that are toggled on or off by the message origination 

server 1 and computer 8 could be connected to different software, or may include more detailed control information, 

nodes of the Internet, and that forwarding of the message 20 such as provision for enabling forwarding upon entry of a 

may involve a second, local central electronic mail server password or fulfilling of designated conditions, and as 

(not shown). indicated above may also be in the form of IDPs, SMTP 

Because the message is stored only at the central server 1, service extensions, or any other portion of the electronic 

sender control of additional processing or handling functions mail object that can be parsed by the central server and that 

can easily be provided by designating portions of the origi- 2 5 w ^ not a ^ ect l ** e ^asic routm g of the message to the central 

nal message header as control bits or flags, which are read server 1. 

by the server or directly forwarded to the viewer applet on Although the communications link from the origination 

the recipients computer, and which selectively disable func- software to the server is a standard electronic mail commu- 

tions provided by the viewer applet 4. For example, for- nications channel, the transmission of the message from the 

warding of the message can easily be prevented by the 30 central server I to the recipient's computer 5 may optionally 

central server 1, without involving the viewer applet 4, by be carried out through a channel established by the recipi- 

simply having the central server refuse forwarding requests. ent's Internet browser, i.e., through a standard http 

On the other hand, prevention of copying or printing of the (hypertext transfer protocol) connection, rather than through 

message would normally be carried out by disabling (or an SMTP or IMAP connection, allowing delivery of elec- 

conversely by not enabling) copy or print functions of the 35 tronic mail to HTTP-based electronic mail software or to 

viewer applet 4. devices other than a personal computer, such as a WebTV™ 

The electronic mail server 1 may be configured to receive or similar appliance. The viewer applet may thus be imple- 

and process electronic mail messages using any electronic mented as a Internet browser plug- in utilizing a technology 

mail protocol and transmitted over any suitable medium, such as Active-X, an executable program that works within 

including media involving such technologies as biochemical 40 the Internet browser in the manner, for example, of Adobe 

or molecular transmission and/or storage that have yet to be Acrobat™, a Java applet with native file level BIOS access, 

implemented. For purposes of the present description, the or an extension to an operating system such as Microsoft 

electronic mail protocol will be assumed to be SMTP, but the Windows NT™ or LINUX 

invention is not intended to be limited to any particular If a viewer applet 4 has not already been installed on the 

transfer protocol. In addition, it will be appreciated that any 45 recipient's computer, it may be delivered as a self executing 

message sent from the message origination software 2 to the attachment to a standard electronic mail notice from the 

server 1 maybe routed through a number of different servers server 1. The notice indicate s that sender-controlled elec- 

(not shown) after initial contact with a local gateway server tronicmail has be en received a na mat, [Q ^evnhTmej sage , 

in the manner of a standard electronic mail message. Under the sender must open the attachment and follow the direc- 

SMTP, the origination software is only responsible for 50 tions provided by the applet installation program. In 

supplying the destination address to the local server, which addition, the viewer applet may be saved to a magnetic disk 

relays the destination address to other servers using, for or other portable storage medium 6 so that e-mail can be 

example, the DNS registration system of the Internet, and viewed from remote locations, or the viewer applet may be 

ultimately to the destination, which in this embodiment is protected by hardware such as a smartcard. 

the address of server 1. Under certain electronic mail 55 In order to encrypt the message in a form that can only be 

protocols, it is possible to include the server address under read by the viewer applet, some sort of key exchange 

routing information, although the SMTP protocol discour- between the viewer applet 4 and the server 1 is necessary. In 

ages such routing, and thus in the preferred embodiment of the preferred embodiment of the invention, this is accom- 

the invention the address of the recipient is inserted by the plished by having the viewer applet generate a private/public 

message origination software into the message header rather 60 key pair and sending the public key to the server so that the 

than as a destination (RCPT) command. server can encrypt the message by the public key of the 

By way of illustration, if the recipient is already a recipient's viewer applet, the encrypted message therefore 

subscriber to the system or has a viewer applet installed, the being readable only by the viewer using the viewer's private 

recipient's address will be in the form of key. A new public private key pair could be generated for 

<recipient>@<cs> .com, where cs is the domain name of the 65 each session, or the public key of the recipient could be 

central server and <recipient> is an address that has been stored by the server for retrieval each time a message 

assigned to the recipient. If the recipient does not have an addressed to the recipient is received. While generation of 
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the public keys can be achieved by a variety of known 
methods, one possible method is to generate the public key 
based on the variation of times between a user's key strokes, 
which is known to be a true random number, thereby 
ensuring the uniqueness of encryption keys for each applet. 

Alternatively, instead of using a public key generated by 
the recipient to protect the message, those skilled in the art 
will appreciate that it is also possible to include the neces- 
sary key in the applet itself prior to downloading, in which 
case the decryption key could be a shared secret key, or to 
mutually generate a session key during a handshaking 
procedure in which exchange of portions of the session key 
is carried out using a secret key that has previously been 
transferred to the viewer applet. Other encryption or mes- 
sage protection methods such as chaffing could also be used 
and the invention is not intended to be limited to any 
particular encryption method. 

As indicated above, delivery of the message from the 
message origination software 2 to the server 1 is preferably 
via a standard electronic mail connection. Even though 
encryption of the message by message origination software 
2 will not normally affect handling of the message by the 
recipient, since the message will be encrypted by the central 
server 1 before delivery to the recipient, the message is 
nevertheless preferably also encrypted before sending to the 
central electronic mail server 1 to ensure that the message 
will not be intercepted and copied during transit. Again, the 
invention is not intended to be limited to a particular 
encryption method, although in the preferred embodiment 
public key encryption is used. 

When encryption is used to protect the message during 
transit to the central server 1, the public key used to encrypt 
the original message can either be the public key of the 
server, in which case the message must be decrypted and 
re-encrypted by the server prior to deliver, or the public key 
used to decrypt the message can be the public key of the 
recipient, in which case the electronic mail server would not 
need to decrypt the message before sending it to the recipi- 
ent's viewer applet. Of course, the original message can be 
initially encrypted in a form that cannot be decrypted by the 
server, and then further encrypted by the public key of the 
server, so that eveo if the server decrypts and re-encrypts the 
initially encrypted message, it will still be unreadable by 
anyone but the intended recipient. 

As shown in FIG. 3, the method of the preferred system 
embodiment illustrated in FIG. 1 begins with the composi- 
tion of an electronic mail message by the originator of the 
message, and designation of an expiration date and other 
handling or processing limitations (step 100). The originator 
software then encrypts the message using the public key of 
the central mail server or possibly the public key of the 
recipient (step 110), and creates an electronic mail object by 
attaching a header containing routing information, the expi- 
ration date, and other handling or processing instructions 
using an appropriate format (step 120). 

In the case of the SMTP transmission, the originator 
software opens a connection to a gateway server (step 130). 
After the gateway server responds with a welcoming 
message, the message origination software sends a MAIL 
command which includes the sender identifier and, option- 
ally a service extension or mail parameters, followed by an 
RCPT command, which identifies the recipient as the central 
mail server (step 140). In order to simplify use of the 
message origination software, it is preferable that the user of 
the message origination software be able to enter the recipi- 
ent's normal electronic mail address even if the domain 
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name is not the same as that of the central server, with the 
message origination software being arranged to substitute 
the central server's address in the RCPT command and to 
insert the ultimate recipient's address in the header. In this 

5 respect, the central server functions as a proxy server whose 
operation is transparent to the sender. 

Upon delivery of the encrypted message, if the message 
has been encrypted with the recipient's public key, then it is 
not necessary for the server to decrypt the message, but if the 

10 message has been encrypted by the message origination 
software 2 with the server's public key, the central server 
decrypts and parses the message for control information 
(step 150). In either case, the s erver then stores.th eLmessage- 
(step 160) and notifies the intended recipient that a message 

35 has been received (step 170). 

If the message has no expiration date or other access or 
processing limitations, the message may optionally be sent 
directly to the subscriber in the manner of a conventional 
electronic mail message, but if the message has an expiration 

2Q date and other access or processing limitations, and a viewer 
has been installed, the public key of the recipient is retrieved 
(step 180) and the message is encrypted by the public key 
generated by the recipient's viewer applet 4 (step 190). If a 
viewer has not already been installed, then the additional 

25 steps of installing the viewer applet on the recipient's 
computer (step 200) and generating a public key (step 210) 
must be performed. 

When viewing of the message is desired by the recipient 
and the message has not expired, the viewer applet 4 

30 establishes a connection to the central server 1 (step 220) 
and the central server 1 transmits the encrypted message to 
the viewer (step 230), subject to any use or handling 
limitations. 

Finally, u pon occurrence of an orig i nator preselected 

35 gyest (such as reading of the message or failure of a 
recipient to check-in with a security agency) and provide 
proper identification, th e message is deleted from storage 
(step 240), thus completing the method of the first preferred 
embodiment of the invention. Depending on the operating 

40 system used by the server, deletion might require special 
procedures such as triple erasure in the case of a Windows 
95™ or Windows NT™ operating system and, in addition, 
the system of the preferred embodiment can provide for 
notification of the message originator upon successful expi- 

45 ration of the message together with, or in addition to, a 
report on the life history of the message such as a description 
of who received the message, who opened it, to whom it was 
forwarded, who modified it, who printed it out, and the dates 
and times when reception, forwarding, modification, print- 

50 ing and so forth occurred. 

The user interfaces for the message origination software 
and viewer applet may be designed to be similar to that of 
a conventional electronic mail program. Preferably, the 
viewer and origination software are combined into a single 

55 program, although certain features of the message origina- 
tion software, such as the expiration date and ability to insert 
processing or handling controls, may be kept inactive upon 
initial download until the software is registered or a sub- 
scription fee is paid, or activated only for a trial period. This 

60 combined software package can include all of the function- 
ality of a conventional electronic mail or messaging 
program, such as Microsoft Outlook Express™, Corel 
Central™, Netscape Messenger™, or Lotus Notes™, 
including the ability to create and receive non-encrypted 

65 electronic mail messages. 

In particular, as illustrated in FIG. 4, the combined viewer 
and origination software user interface may include a main 
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message screen 200, menus 210, and/or function bars 220 to directly to tbe recipient through conventional channels, or 

manage or enable use of such features as electronic mail can still be routed through the central mail server for 

receiving, filing, editing, and forwarding, as well as a folder handling in a conventional manner. 

display window 230, a file listing window 2A0, a file viewing wil , ^ appreciated by , bose ^led in the art that 

window, and an attachments window 260, all of which 5 j^,^ of a sin le , ha , Qls all of the 

resemble those of the conventional electronic mail client. ; , be ^ a main , ha( 

Accordmg to the pnnc.ples of he invention when a mes- ^ oQ tf contro , 

sage .s received with a flag tn the header indicating that a £ lioQs are ^ , * form aQd ^ of ^ 

function, such as the forwarding function is d»bled he ^ dows be yaried fa desired , n 

corresponding button or menu item is also disabled and the 10 / , et be M of ^ ^ 

display screen is modified to indicate in conventional fash- . 4 .f ' / ,. 4 . , . f 

i_ , , . . • • j jji i t . electronic mail program, or as a separate application which 

ion that the button or menu item is disabled. In addition, the , 4| _ i » *j ♦ i j*u r 

. j ... . -_ A ' shares the same socket or transport driver layer and therefore 

mam message screen may provide an indication 270 of the . . , . . . . , , 

. . , & * v , .... is able to intercept the send command, 

expiration date of the received message, or an indication 280 r 

of other limitations, such as a read once limitation. 15 M Pirated in FIG. 13, the control applet of this 

Tnose skilled in the art will appreciate that the message embodiment of the invention initially runs m the background 

and filing functions provided on the main message screen as the message onginator uses existing software to create a 

actually involve manipulation of messages that exist, in the messa * e < ste P 4C f). Upon recognition of a send command, 

preferred embodiment of the invention, only on the central the messa S e sender applet opens a window to prompt th e 

server 1. In this respect, the system of this preferred embodi- 20 megagej^fflnator for control options (step 410) encrypts 

ment works in the same manner as an IMAP mail server, ana/or moaiiies the electronic mail package in the manner 

with the addition of expiration date and other use limitations. des f> c * a *> ve < s 420 > and ^3™* T\ 

However, in the case of new message creation, or if the P acka & e t0 he c ' Dtral mai1 x ™ ]' i D ° k° 

content of a received message is editable, text editing °P tl0n * * lccte * *f m ™"& m ^ * ihrou * h COD " 

functions can be performed locally. 25 venUonal channels < ste P 430 >' 

An example of a message preparation or creation screen In the variation illustrated in FIG. 14, the dialog box 27 

300 is illustrated in FIG. 5. This screen is presented upon for entr V of addresses into an electronic mail address book 

selection of one of the "Reply/' "Forward," or "New" 28 may be modified to include message control opUons 29. 

message buttons of screen 200, and includes conventional ^ addresses for which a control option is selected, and 

boxes 310^20 for respectively entering addresses and text. 30 °P tlona lly other addresses, are automatically routed to the 

In addition, the message creation screen 300 includes but- central mai1 **™ T for encryption and control of future 

tons 320 that enable the user to cause the message origina- handlul g ™ d expiration of the message. The control applet 

tion software to insert into the header flags to activate use of of ih * embodiment can be arranged to present a dialog box 

processing limitations. Buttons 330 include, by way of each tune a new address 15 entered ' 45 illustrated, or to 

example, a button 340 that limits forwarding, a button 350 35 P rovide the address book with a common control option 

that prevents editing by the recipient, a button 360 that dialo S box which ^ 0001101 °P tions for aU messages 

permits the message to be read once, a read-by date button entered m . ^ book » or for selected messages based on 

370, and an expiration date button 380. When any of the predetermined criteria. 

latter three buttons is pressed, the message originator is An additional feature that can be added to each of the user 
prompted for a date, which is then inserted into the message 40 interfaces illustrated in FIGS. 4, 5, and 14 is an "oops" 
header and may appear in a confirmation window 390. The button (shown only in FIG. 4) that enables immediate 
read-by date differs from the expiration date in that the cancellation of a message after the message has been sent to 
message will immediately be expunged after reading, or the central server by having the message origination soft- 
expunged on the desired date even if the message has not ware send a follow-up cancellation request. This is similar to 
been read, whereas the expiration date button permits the 45 the cancellation request described in U.S. Pat. No. 5,870, 
message to be read as many times as desired before the 548, but with cancellation ensured through the operation of 
expiration date. the central server as described above. To facilitate 
In an alternative to the software illustrated in FIGS. 4 and cancellation, the server could provide a short time-delay 
5, control of the lifespan and handling of an electronic mail before permitting viewing of the message, 
message may be achieved without replacing the message 50 In addition to providing for control of lifespan, 
originator's existing electronic mail program. Instead, in this processing, or handling of the message by all potential 
variation of the user interface illustrated in FIGS. 4 and 5, as recipients, the system and method illustrated in FIGS. 1-3 
illustrated in FIG. 12, a control applet is arranged to open a enables control of how information from the electronic mail 
window 20 that presents the message originator with control wrapper, such as the identity of the sender and the lime lhat 
options after the message has been created and sent using the 55 the message was sent, is coupled to the message and 
message originator's existing electronic mail program 21. presented to the recipient. For instance, the server could strip 
The control applet is in the form of software arranged to transmission time information from the wrapper and the 
intercept the "send" command of the protocol used by the applet could present message sender identification sepa- 
existing electronic mail program and, in response, to open rately from the message itself, i.e., the recipient would be 
window 20 which presents the message originator with the 60 unable to simultaneously see both the message sender iden- 
option of selecting various message life and handling con- tification and the message. As illustrated in FIG. 15, this may 
trols 22. If any of the message life and handling controls are be accomplished in the same manner as the other control 
selected, the message is sent to a central mail server corre- options, i.e., by using a central mail server to append 
sponding to the server of the first embodiment of the appropriate electronic mail wrapper control information 
invention (or a server corresponding to the principal 65 before forwarding the message to designated recipients (step 
embodiment described below) for appropriate handling. If 500), and by having a viewer applet installed on the recipi- 
no control option is selected, the message can be forwarded ent's computer decode the selected control options, search 
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for appropriate fields in the message wrapper, and carry out tralized computer network connecting the originator with a 

the desired wrapper controls by for example deleting various recipient through a clearing-house (the central server of the 

items from the wrapper, such as the identity of the sender first preferred embodiment), or even without the interven- 

and/or the date or time when the message was sent, in tion of a clearing house (attachment of the viewer applet to 

response to the control information included by the central 5 the electronic mail message). 

server in the message header or IDPs as described above \ n a third embodiment of the invention, illustrated in FIG. 

(step 510) before presenting the modified electronic mail i$ f tne central server sends portions of the encrypted mes- 

package to the recipient or recipients (step 520). sage t o the viewer applet in a manner similar to that 

While the first preferred embodiment of the invention described above in connection with FIG. 6, but retains sole 

represents an especially straightforward way of limiting 10 possession of portions of the message package, such as the 

access and handling of electronic mail messages by storing wrapper, handling and encryption-key information, and/or 

the messages on the server and transmitting them to the portions of the message itself and stores this information in 

viewer applet, it is in principle possible to create a local store a central database 13. Unlike the variation of the first 

for the files while retaining access control by storing the files preferred embodiment shown in FIG. 6, the viewer applet 

in encrypted form on the recipient's computer, as illustrated 15 mus t request information from the central server each time 

in FIG. 6, leaving access to the files to the viewer, or central the message is to be viewed or otherwise handled, enabling 

control can be retained through the use of session keys the central server to track all transactions involving the 

depending on options selected by the sender. The central message for purposes to be explained in detail below, 

computer can then be used solely for functions of auditing, j n tn js embodiment of the invention, if the message is to 

billing, or tracking of message handling by recipients. 20 be f orwarc j e d, the viewer applet can either send its portion 

In the former case, the primary role played by the central of the encrypted message back to the central server for 

server 10 would be to extract the recipient's address from the forwarding, or it can send the encrypted message directly to 

message header, if the recipient is not already using the the recipient of the forwarded message, in which case the 

domain name of the server, and to supply the viewer applet forwarded message recipient's viewer applet would need to 

11, which creates a local storage area 12 on the recipient's 25 request provision of the central server's portion of the 

computer for encrypted files. Since the files are encrypted, message or other information necessary for viewing the 

viewing is effectively prevented unless the viewer is used, message. 

and thus control is still retained by the viewer program. p IGS 9 _n iu ustra te the dramatic results achieved by the 

In the latter case, the server may retain control of access ^ invention. As shown in FIG. 9, a message is being forwarded 

to messages by having the viewer obtain the necessary to numerous different computers situated in a widely dis- 

decryption keys from the server, either by obtaining a key persed locations. Although depiction of central electronic 

each time viewing is desired, by having the viewer renew the ma i] servers has been deleted from this drawing, it will be 

session key at predetermined intervals, or simply by having appreciated that the message and viewer applet may be 

the viewer applet check-ion with the central server periodi- ^ forwarded utilizing either of the two principle embodiments 

cally to verify that the clock used by the viewer applet has 0 f the invention, any of the variations thereof, or combina- 

nol been tampered with and/or has not malfunctioned. tions of the embodiments. In the header of the original 

In a still further variation of the first preferred embodi- message, and therefore of the forwarded messages, are flags 

ment of, the invention, illustrated in FIG. 7, the principle of setting an expiration date for the message, permitting or 

local storage of the encrypted message is extended still 4Q prohibiting forwarding, alteration, printing, or other mes- 

further by eliminating the encryption function of the central sage handling functions. At some point before the expiration 

electronic mail server 20, and instead having the message date, as depicted in FIG. 10, the message has been spread 

origination software 2 encrypt the message with the recipi- around the world and resides in encrypted form either on one 

ent's public key. In that case, server 20 serves only to supply or more central servers or in local protected storage, 

the viewer applet. 45 However, on the expiration date, as depicted in FIG. 11, the 

Those skilled in the art will note that each of the variations message is completely expunged from all storage areas 

shown in FIGS. 6 and 7 can use the same message origina- (assuming that the originator has not designated selected 

tion software and viewer applet. This is because the only addresses as exceptions from the expiration requirement), 

difference involves whether the server or the recipient is effectively wiping the message off the face of the earth. No 

initially addressed by the message origination software, and 50 existing electronic mail system has this capability, 

therefore whether the server's or the recipient's public key FIG. 17 shows a further capability of the system of the 

is used for encryption. invention, which provides even more dramatic and unex- 

In the second preferred embodiment of the invention, as pected results. As illustrated in FIG. 17, the central server of 

illustrated in FIG. 8, the viewer applet is itself attached to the a system corresponding to that of FIGS. 1 or 16, i.e., of a 

encrypted electronic mail message, and the central server is 55 system in which all messages are routed through the central 

eliminated entirely. As in the first preferred embodiment, the server, keeps a record of all transactions handled by the 

recipient of the message may be given the option of install- server, including forwarding of messages, allocation of 

ing or refusing the viewer applet in order to view the control and access rights, and so forth. This record may 

message. Alternatively, however, the viewer applet can be include, without limitation, information concerning who 

made self-executing since there is no need to register with 60 received the message, who forwarded the message, who 

the server, permitting the viewer applet to be spread like a modified the message, the electronic mail addresses of all of 

benign virus each time a recipient uses the applet to send or these entities, and the dates and times of all transactions 

forward a message. related to the users of the message. 

Those skilled in the art will appreciate that this decen- Although simple, the ability to keep records that track a 

tralization of the point of control of the distribution of 65 message through all incarnations is unique to the present 

electronic mail may have applicability to the distribution in invention, and has far-reaching effects. For convenience, the 

general of electronic information transmitted via a decen- above-mentioned set of all transaction information about the 
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usage and handling of the message may be referred to as the 
message completion space (MCS). Generally, the MCS of a 
message or group of messages will evolve over time, with 
some messages being forwarded over and over by an ever 
expanding set of entities essentially forever, although other 
messages may never be forwarded. The group of recipients 
defines an affinity group for the message, and the MCS may 
be divided into sub-spaces involving different transactions, 
affinity groups, or sub-groups thereof. For example, the 
sub-space of interest might be that part of the MCS that 
originates with a particular individual or group of individu- 
als and includes all of the recipients of messages originally 
forwarded by the particular individual or group. 
Alternatively, a subspace could be defined as including all 
recipients of the message whose electronic mail address is 
an America OnLine™, who have a ".gov" or ".edu" domain 
in their electronic mail address, or who have received the 
message as a result of an nth level forward. 

Once records as defined above have been collected, they 
can be provided to interested parties or subscribers for a 
variety of uses. Since the affinity group of a message consists 
entirely of persons who have something in common, namely 
someone that knew them believed that they would find the 
message in some way important and took the trouble to 
forward it to them, which is exactly the type of group that 
the provider of a service or product seeks to identify in the 
most efficient possible manner, there should be a high 
demand for the ability to contact these affinity groups. The 
following are examples of potential uses for contacting 
affinity groups: 

c) A business could use its own customer electronic 
mailing list to grow its customer base. Suppose, for 
example, that Mr. Beer, a home brew supplies sales 
company, e-mails a new beer recipe to all of its 
customers, with the opportunity for those customers to 
e-mail the new recipe on to anybody they think would 
be interested. That initial mailing has associated with it 
an MCS, which may be much larger than the original 
list and which has the amazing characteristic that it 
consists entirely of people who Mr. Beer's own cus- 
tomers thought would like to have the beer recipe. 
Furthermore, while the MCS of that mailing may take 
several months to grow to a stable full size, and may 
consist of many generations of forwards and 
re-forwards, once it is in place, it can be used all at 
once. In a microsecond, this whole new list, consisting 
entirely of qualified people who might be interested in 
Mr. Beer, and all of whom are potential new customers, 
may be contacted via e-mail. 

d) Government, political parties, nonprofit societies, 
church groups, special interest groups, and many other 
groups built on interest affinities can also use the 
MCS's generated from their electronic mailing lists to 
develop their groups. 

e) The MCS records also can be used as a basis for 
varying the controls or Limitations placed on a message. 
For example, the expiration date of a mailing could be 
extended for anyone in the MCS who has forwarded the 
message. Alternatively, the MCS records could be used 
to enable correction, cancellation, or deletion of mes- 
sages before the predetermined expiration date. 

Preferably, each member of an affinity group will have 
been given the opportunity to opt-in or opt-out of the group, 
for example by asking the recipient of a message to give 
permission to be included in the group when requesting keys 
to view the message, or upon indicating a desire to forward 
the message. 
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Having thus described various preferred embodiments of 
the invention with sufficient particularity to enable those 
skilled in the art to easily make and use the invention, and 
having described several possible variations and modifica- 
tions of the preferred embodiments, it should nevertheless 
be appreciated that still further variations and modifications 
of the invention are possible, and that all such variations and 
modifications should be considered to be within the scope of 
the invention. 

For example, although the present invention is particu- 
larly applicable to electronic mail systems, the principles of 
the first preferred embodiment of the present invention may 
also be applicable to other types of systems and methods for 
providing an originator of electronic information with con- 
trol over a recipient's distribution of the electronic informa- 
tion transmitted via a decentralized computer network con- 
necting the originator with a recipient through a clearing- 
house. According to the broadest principles of the first 
preferred embodiment, the originator of the electronic infor- 
mation assigns control information to the electronic 
information, the control information being at least one of 
e^m^atiQ|i criteria, distribution criteria, or operation criteria, 
andthesystem optionally stores the control information in 
a first database in communication with the clearing-house, 
with the clearing-house optionally being accessible to the 
originator and capable of sending the control information to 
the recipient. After receiving a control response from the 
recipient, the control response being generated eithejLai itQi 
matically or upon input by the user, the system may send a 
control module in the form of an application or signal from 
the clearing-house to the recipient J>ased.jCJiUhe«centfel-- 
r esponse and the conlc ^ Jnfara^^ After the control 
module is installed at the recipient device, the system may 
send the electronic information to the control module, which 
may in turn automatically restrict > dis < t rjauJiQn oJLthejelecr 
tronicTniormation accoramg to the control information. The 
recipient device can then play the electronic information 
according to the control information. 

Consequently, those skilled in the art will appreciate that, 
in view of the numerous modifications and variations that 
can be made without departing from the above principles, 
the scope of the invention should not be limited by the above 
description, but rather should be interpreted solely in accor- 
dance with the appended claims. 

What is claimed is: 

1. Electronic mail control software, comprising: 
means for opening a window arranged to enable a user of 

the electronic mail applications program to select 

(i) an original destination address to which an elec- 
tronic mail message created using the electronic mail 
applications program is to be sent, and 

(ii) control options to be applied to the electronic mail 
message; and 

means for causing the electronic mail control software to 
automatically substitute, without manual entry of a 
substitute address by the user, an address of a central 
mail server for the original destination address selected 
by the user in order to divert said electronic mail 
message to said central mail server, said original des- 
tination address being appended by the electronic mail 
control software to the message so that it can be read by 
the central mail server, the central mail server being 
arranged to forward said electronic mail message to 
said original destination address and to implement said 
control options if one of said control options is selected. 

2. Electronic mail control software as claimed in claim 1, 
wherein said control options include an expiration setting by 
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which the user may select a date, time, or event, the 
occurrence of which will cause said message to expire. 

3. Electronic mail control software as claimed in claim 1, 
wherein said control options include limitations on forward- 
ing by a recipient of said message. 

4. Electronic mail control software as claimed in claim 1, 
wherein said means for opening said window includes 
means for intercepting a send command generated by said 
electronic mail applications program and opening said win- 
dow in response to interception of said send command. 

5. Electronic mail control software as claimed in claim 1, 
further comprising means for modifying at least one entry in 
an address book of said electronic mail applications program 
to cause mail sent to said entry to be routed through said 
electronic mail server. 

6. A method of adding lifespan and handling limitations to 
an electronic mail message, comprising the step of: 

opening a window arranged to enable a user of the 
electronic mail applications program to select 

(i) an original destination address to which an elec- 
tronic mail message created using the electronic mail 
application program is to be sent, and 

(ii) control options to be applied to the electronic mail 
message, 

wherein, when one of said control options is selected by 
the user, the electronic mail application program auto- 
matically substitutes, without further entry of an 
address by the user, an address of a central mail server 
for the original destination address and appends the 
original destination address to the electronic mail mes- 
sage in order to divert the electronic mail message to a 
central mail server arranged to read the original desti- 
nation address and forward the electronic mail message 
to said original destination address and to implement 
said control options. 

7. A method as claimed in claim 6, wherein said control 
options include an expiration setting by which the user may 
select a date, time, or event, the occurrence of which will 
cause said message to expire. 

8. A method as claimed in claim 6, wherein said control 
options include limitations on forwarding by a recipient of 
said message. 

9. A method as claimed in claim 6, wherein the step of 
opening said window includes the step of intercepting a send 
command generated by said electronic mail applications 
program and opening said window in response to intercep- 
tion of said send command. 

10. A method as claimed in claim 6, further comprising 
the step of modifying at least one entry in an address book 
of said electronic mail applications program to cause mail 
sent to said entry to be routed through said electronic mail 
server. 

11. An electronic mail system, comprising: 

a first computer on which is installed message origination 
software and which is connected to a network capable 
of carrying an electronic mail wrapper that includes an 
electronic mail message; 

at least one recipient computer also connected to said 
network; and 

a viewer applet installed on said recipient computer, 
said viewer applet being arranged to decode control 
information appended to the electronic mail wrapper, 
search for sender-identity and message-origination 
fields in said wrapper and control, based on input to 
said message origination software, a manner in which 
information items in said sender-identity and message- 
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origination fields in said wrapper are presented to a 
recipient of the message, said control including selec- 
tion of which of said information items in said sender- 
identity and message-origination fields are to be 
presented, and control of coupling of the information 
and the message. 

12. An electronic mail system as claimed in claim 11, 
further comprising a central electronic mail server connected 
to said network, said electronic mail server being arranged 
to cooperate with said viewer applet to achieve said control 
of the manner in which the electronic mail wrapper is 
presented to the recipient. 

13. An electronic mail system as claimed in claim 12, 
wherein upon request by the recipient, said central mail 
server encrypts said electronic mail message and sends it to 
said viewer applet, and said viewer applet being arranged to 
decrypt said message so as to display said message with 
information deleted from said wrapper. 

14. A method of controlling an electronic mail message 
20 transmitted over a network comprising the steps of: 

before transmission of the electronic mail message over 
the network, enabling a user to attach limitations on 
processing and handling of the electronic mail message 
by a recipient; 
initially transmitting said electronic mail message over 

said network to a central electronic mail server; 
storing said electronic mail message at said electronic 
mail server; 

upon request by the recipient, causing said electronic mail 

server to encrypt said electronic mail message; 
causing the electronic mail server to send the encrypted 
electronic mail message to a viewer applet installed on 
said recipient computer; 
causing the viewer applet to store said encrypted message 

on the recipient computer; 
causing the viewer applet to enable viewing of said 
message by decrypting said electronic mail message 
using the viewer applet and a session key supplied by 
the central electronic mail server, wherein said message 
cannot be viewed by the recipient unless the viewer 
applet is used; and 
causing said central electronic mail server and viewer 
applet to implement said processing and handling limi- 
tations. 

15. A method as claimed in claim 14, wherein said session 
key is supplied by said central server each time said message 
is to be viewed. 

16. A method as claimed in claim 14, wherein said session 
key must be renewed periodically in order to view said 
message. 

17. A method as claimed in claim 14, wherein said viewer 
applet is required to establish communications with the 
central server periodically in order to ensure that a clock 
used by the viewer applet is functioning properly. 

18. An electronic mail system, comprising: 
A first computer on which is installed message origination 

software arranged to assign message processing limi- 
tations to an electronic mail message and which is 
connected to a network capable of carrying said elec- 
tronic mail message; 
at least one recipient computer also connected to said 

network; 
w viewer applet; and 

w central electronic mail server connected to said 
network, said message origination software being 
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arranged to send said electronic mail message to said 
electronic mail server, said electronic mail server being 
arranged to store information concerning said elec- 
tronic mail message and, upon request by the recipient, 
encrypt said electronic mail message and send it to said 
viewer applet, wherein said viewer applet is arranged to 
decrypt said electronic mail message as it is sent so as 
to display said message, 
wherein said viewer applet is also arranged to store at 



least a portion of said message that has been stripped of 10 ste p S 0 f : 



causing said viewer applet to request forwarding of said 
electronic mail message stored on said central mail server to 
a second recipient computer, encrypting said electronic mail 
message using a public key of a copy of said viewer applet 
installed on said second recipient computer, and sending 
said stripped electronic message to said second recipient 
computer for storage in a memory of the second recipient 
computer. 

24. A method of developing mailing lists, comprising the 



said information by said central server, 
wherein said message can only be viewed by the recipient 

using the viewer applet, and 
wherein said processing limitations are implemented by 

said central electronic mail server and said viewer 

applet. 

19. An electronic mail system as claimed in claim 18, 
wherein said message is encrypted by said central mail 
server using a public key generated by the viewer applet, 
said viewer applet being arranged to generate said public 
key and also a corresponding private key used to decrypt 
said message. 

20. An electronic mail system as claimed in claim 18, 
wherein said viewer applet is further arranged to permit a 
user to request forwarding of said electronic mail message to 
a second recipient computer, said central mail server being 
arranged to strip and store information concerning said 
message, a copy of the viewer applet installed on said 
second recipient computer being arranged to store said 
stripped message. 

21. A method of controlling an electronic mail message 
transmitted over a network, comprising the steps of: 

before transmission of the electronic mail message over 
the network, attaching limitations on processing and 
handling of the electronic mail message by a recipient; 

initially transmitting said electronic mail message over 
said network to a central electronic mail server; 

storing said electronic mail message at said electronic 
mail server; 

upon request by the recipient, encrypting said electronic 
mail message, sending the encrypted electronic mail 
message to a viewer applet installed on said recipient 
computer, and decrypting said electronic mail message 
as it is received by the viewer applet so as to display 
said message; and 

causing said central server and viewer applet to imple- 
ment said processing and handling limitations. 

22. A method of controlling an electronic mail message as 
claimed in claim 21, further comprising the steps of encrypt- 
ing said electronic mail message is carried out by said 
central electronic mail server using a public key generated 
by the viewer applet, said viewer applet being arranged to 
generate said public key and also a corresponding private 
key used to decrypt said message. 

23. A method of controlling an electronic mail message as 
claimed in claim 21, further comprising g the steps of 
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sending an electronic mail message to an initial list of 
recipients; 

requiring that versions of said electronic mail message 
that are forwarded to first additional recipients by said 
initial recipients be routed through at least one central 
mail server, said first additional recipients including 
recipients initially unknown to the sender and the 
central mail server; 

requiring that versions of said electronic mail message 
that are forwarded to second additional recipients by 
said first additional recipients be routed through said at 
least one central mail server, said second additional 
recipients including further recipients initially 
unknown to the sender and the central mail server; 

tracking all transactions involving said electronic mail 
message, including transactions by said original 
recipients, said first additional recipients, and said 
second additional recipients; and 

using a record of at least a portion of said transactions to 
expand said electronic mailing list to recipients not on 
the initial mailing list, and not initially known to the 
sender or to the central mail server. 

25. A method as claimed in claim 24, further comprising 
the steps of: before initial transmission of said message, 
attaching handling limitations to said message; and encrypt- 
ing said message so that it can only be viewed by a viewer 
applet supplied by said central server. 

26. A method as claimed in claim 24, further comprising 
the steps of: before transmission of the electronic mail 
message over an open network, attaching to the message a 
date, time, or event, the occurrence of which will cause said 
electronic mail message and all designated incarnations 
thereof to expire; and encrypting said electronic mail mes- 
sage so that it can only be viewed before the occurrence of 
said time, date, or even using a viewer applet installed on a 
recipient computer. 

27. A method as claimed in claim 24, wherein said record 
includes all addresses to which said message has been 
forwarded. 

28. A method as claimed in claim 24, wherein said record 
includes a subset of the addresses to which said message has 
been forwarded. 

29. A method as claimed in claim 24, further comprising 
the step of selling said expanded list. 
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